This documentation applies to a beta version of uberAgent (docs for the latest official release)

uberAgent-ESA-process-tagging.conf

The following is the uberAgent-ESA-process-tagging.conf configuration file that ships with uberAgent. It contains process tagging rules for use with uberAgent ESA.

#
# This is the configuration file for uberAgent that contains the ESA process tagging definitions.
# It is only required if uberAgent ESA is enabled.
# Place it in the same directory as uberAgent.exe
#

############################################
#
# Process.Start rules
#
############################################

[ProcessTaggingRule]
RuleName = Detect process starts from directories with a low mandatory integrity label
EventType = Process.Start
# MIC label format in the SDDL string: (ML;OICIID;;;;LW)
# The five lazy ".*?" fields cover ace_flags, rights and the two GUIDs; LW is the
# SDDL abbreviation for the low mandatory level SID, so only low-integrity labels match.
Process.DirectorySdSddl = \(ML;.*?;.*?;.*?;.*?;LW;?.*?\)
Tag = proc-start-dir-low-integrity

[ProcessTaggingRule]
RuleName = Detect processes started from directories that are user-writeable
EventType = Process.Start
# Executables in user-writeable directories can be replaced by anything running
# as that user, so a start from such a directory is worth tagging.
Process.DirectoryUserWriteable = true
Tag = proc-start-dir-user-writeable

# Reusable match fragments. They are pulled into rules with "@ConfigBlockInsert <name>".
# NOTE(review): from the way they are used below, repeated "=" lines for one property look like
# alternatives (any may match) and "!=" lines like exclusions that must all hold — confirm
# against the uberAgent ESA documentation before relying on this.
[ConfigBlockDefine name=ParentIsMsOffice]
Parent.Name = ^excel\.exe$
Parent.Name = ^msaccess\.exe$
Parent.Name = ^onenote\.exe$
Parent.Name = ^outlook\.exe$
Parent.Name = ^powerpnt\.exe$
Parent.Name = ^winword\.exe$
# Company check guards against a renamed binary that merely carries an Office file name
Parent.Company = ^Microsoft.*

# Same application set as ParentIsMsOffice, but matched on the process itself
[ConfigBlockDefine name=ProcessIsMsOffice]
Process.Name = ^excel\.exe$
Process.Name = ^msaccess\.exe$
Process.Name = ^onenote\.exe$
Process.Name = ^outlook\.exe$
Process.Name = ^powerpnt\.exe$
Process.Name = ^winword\.exe$
Process.Company = ^Microsoft.*

# Exclusion list: extend it with other browsers deployed in your environment
[ConfigBlockDefine name=ProcessIsNotBrowser]
Process.Name != ^chrome\.exe$
Process.Name != ^iexplore\.exe$
Process.Name != ^firefox\.exe$
Process.Name != ^msedge\.exe$
Process.Name != ^opera\.exe$

# Windows PowerShell and PowerShell 7+ (pwsh) host processes
[ConfigBlockDefine name=ProcessIsNotPowerShell]
Process.Name != ^powershell\.exe$
Process.Name != ^pwsh\.exe$

[ConfigBlockDefine name=ProcessIsPowerShell]
Process.Name = ^powershell\.exe$
Process.Name = ^pwsh\.exe$

[ProcessTaggingRule]
RuleName = Detect script child processes of Microsoft Office applications
EventType = Process.Start
@ConfigBlockInsert ParentIsMsOffice
# Shells, script hosts and ftp.exe spawned by an Office parent are the classic
# macro payload delivery pattern, hence the maximum risk score below.
Process.Name = ^cmd\.exe$
Process.Name = ^cscript\.exe$
Process.Name = ^wscript\.exe$
Process.Name = ^ftp\.exe$
@ConfigBlockInsert ProcessIsPowerShell
# Same tag as the generic Office child-process rule; only this rule carries a score
Tag = proc-start-msoffice-child
RiskScore = 100

[ProcessTaggingRule]
RuleName = Detect child processes of Microsoft Office applications
EventType = Process.Start
@ConfigBlockInsert ParentIsMsOffice
# Ignore legitimate child processes
# OneNote's send-to-OneNote helper
Process.Name != ^onenotem\.exe$
# The default browser is launched when clicking Account -> Switch account
@ConfigBlockInsert ProcessIsNotBrowser
# Word launches a Word child process (with the command line parameter "/embedding") when a document with the mark of the internet is double-clicked ("protected view")
Process.Name != ^winword\.exe$
# Other rule properties
# Broad catch-all for any other Office child; no RiskScore, the scripted variant above scores it
Tag = proc-start-msoffice-child

[ProcessTaggingRule]
RuleName = Detect child processes of the WMI service
EventType = Process.Start
# wmiprvse.exe is the WMI provider host; it spawns children e.g. when Win32_Process.Create is invoked remotely
Parent.Name = ^wmiprvse\.exe$
Tag = proc-start-wmiservice-child

[ProcessTaggingRule]
RuleName = Detect child processes of Adobe Acrobat Reader
# Source: https://www.microsoft.com/security/blog/2019/02/22/recommendations-for-deploying-the-latest-attack-surface-reduction-rules-for-maximum-impact/
EventType = Process.Start
Parent.Name = ^acrord32\.exe$
# Reader's own helper processes (Chromium renderer, self-relaunch, update manager)
# NOTE(review): these names are mixed-case while other rules use lowercase; this file also uses
# ^Certutil\.exe$ and ^certutil\.exe$ interchangeably, so matching appears to be case-insensitive — confirm.
Process.Name != ^RdrCEF\.exe$
Process.Name != ^acrord32\.exe$
Process.Name != ^AdobeARM\.exe$
Tag = proc-start-adobereader-child

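[ProcessTaggingRule]
RuleName = Detect child processes (LOLBAS)
# Source: https://lolbas-project.github.io/
# Any child of one of the listed living-off-the-land binaries is tagged; there is
# no child-side filter, so tune with "Process.Name !=" lines if a parent is noisy.
EventType = Process.Start
# Fixed: was "^bash.exe\.exe$", which can never match the file name bash.exe
Parent.Name = ^bash\.exe$
Parent.Name = ^bitsadmin\.exe$
Parent.Name = ^diskshadow\.exe$
Parent.Name = ^forfiles\.exe$
Parent.Name = ^ftp\.exe$
Parent.Name = ^hh\.exe$
Parent.Name = ^ieexec\.exe$
Parent.Name = ^Microsoft\.Workflow\.Compiler\.exe$
Parent.Name = ^msconfig\.exe$
Parent.Name = ^pcalua\.exe$
Parent.Name = ^pcwrun\.exe$
Parent.Name = ^rundll32\.exe$
Parent.Name = ^scriptrunner\.exe$
Parent.Name = ^wmic\.exe$
# OtherMSBinaries section of the LOLBAS project
Parent.Name = ^Appvlp\.exe$
Parent.Name = ^cdb\.exe$
Parent.Name = ^devtoolslauncher\.exe$
Parent.Name = ^dnx\.exe$
Parent.Name = ^dxcap\.exe$
Parent.Name = ^mftrace\.exe$
Parent.Name = ^msdeploy\.exe$
Parent.Name = ^Sqlps\.exe$
Parent.Name = ^SQLToolsPS\.exe$
Parent.Name = ^te\.exe$
Parent.Name = ^update\.exe$
Parent.Name = ^vsjitdebugger\.exe$
Parent.Name = ^wsl\.exe$
Parent.Name = ^squirrel\.exe$
Tag = proc-start-lolbas-child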

# NOTE(review): the next two rules share the RuleName "Detect DLL load (LOLBAS)"; if uberAgent
# keys rules or reporting by RuleName, give them distinct names (e.g. "... via dnscmd", "... via MavInject").
[ProcessTaggingRule]
RuleName = Detect DLL load (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^dnscmd\.exe$
# "[\/|-]" is a character class for the switch prefix (/ or -); the "|" inside it is a literal
# pipe, not alternation, and is harmless. The UNC-style "\\\\" requires a remote DLL path.
Process.CommandLine = [\/|-]serverlevelplugindll.*\\\\.*\.dll
Tag = proc-start-lolbas-dll-load

[ProcessTaggingRule]
RuleName = Detect DLL load (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# MavInject's /INJECTRUNNING switch injects a DLL into a running process
Process.Name = ^MavInject\.exe$
Process.CommandLine = [\/|-]INJECTRUNNING
Tag = proc-start-lolbas-dll-load

[ProcessTaggingRule]
RuleName = Detect starts from non-default locations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# Copies of these system binaries outside the two system directories are a
# common way to evade name/path based allow-listing.
Process.Name = ^ie4uinit\.exe$
Process.Name = ^cscript\.exe$
Process.Name = ^wscript\.exe$
Process.Name = ^cmd\.exe$
# Both exclusions must hold: the image is neither under System32 nor under SysWOW64
Process.Path != ^%SystemRoot%\\System32\\.*$
Process.Path != ^%SystemRoot%\\SysWOW64\\.*$
Tag = proc-start-lolbas-other-location

[ProcessTaggingRule]
RuleName = Detect compile and execute (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# Fires for every MSBuild run with a .csproj or .xml argument — expect noise on
# developer machines and build servers; scope it further if needed.
Process.Name = ^Msbuild\.exe$
Process.CommandLine = \.csproj
Process.CommandLine = \.xml
Tag = proc-start-lolbas-compile-and-exec

[ProcessTaggingRule]
RuleName = Detect sct execute (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# regsvr32 asked to load a .sct scriptlet through scrobj.dll ("Squiblydoo")
Process.Name = ^regsvr32\.exe$
Process.CommandLine = \.sct.*scrobj\.dll
Tag = proc-start-lolbas-sct-exec

[ProcessTaggingRule]
RuleName = Detect proxy execution (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# reg.exe import chained ("&") with a WinRM quickconfig in one command line
Process.Name = ^reg\.exe$
Process.CommandLine = import.*\.reg.*&.*winrm.*quickconfig
Tag = proc-start-lolbas-proxy-exec

[ProcessTaggingRule]
RuleName = Detect event viewer UAC bypass (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# eventvwr.exe normally only spawns mmc.exe; any other child indicates the auto-elevate abuse
Parent.Name = ^eventvwr\.exe$
Process.Name != ^mmc\.exe$
Tag = proc-start-lolbas-uac-bypass

[ProcessTaggingRule]
RuleName = Detect wsreset UAC bypass (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# Same pattern for wsreset.exe, whose only expected child is conhost.exe
Parent.Name = ^wsreset\.exe$
Process.Name != ^conhost\.exe$
Tag = proc-start-lolbas-uac-bypass

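[ProcessTaggingRule]
RuleName = Detect jsc compile (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^jsc\.exe$
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline")
Process.CommandLine = \.js
Tag = proc-start-lolbas-compile

[ProcessTaggingRule]
RuleName = Detect csc compile (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^csc\.exe$
# csc.exe producing an .exe from .cs sources, or building a library from .cs sources.
# The unescaped dots before "exe" and "cs" match any character, which is slightly
# broader than intended but harmless here.
Process.CommandLine = [\/|-]out:.*.exe.*.cs
Process.CommandLine = [\/|-]target:library.*.cs
Tag = proc-start-lolbas-compile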

[ProcessTaggingRule]
RuleName = Detect execution from alternate data streams (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# Binaries the LOLBAS project lists as able to read/execute from an NTFS alternate data stream
Process.Name = ^Certutil\.exe$
Process.Name = ^Cmd\.exe$
Process.Name = ^Control\.exe$
Process.Name = ^Cscript\.exe$
Process.Name = ^Esentutl\.exe$
Process.Name = ^Expand\.exe$
Process.Name = ^Extract32\.exe$
Process.Name = ^Findstr\.exe$
Process.Name = ^Makecab\.exe$
Process.Name = ^Mavinject\.exe$
Process.Name = ^Mshta\.exe$
Process.Name = ^Print\.exe$
Process.Name = ^Reg\.exe$
Process.Name = ^Regedit\.exe$
Process.Name = ^Sc\.exe$
Process.Name = ^Wmic\.exe$
Process.Name = ^Wscript\.exe$
# "file:stream" token: a word character on both sides of the colon. A drive letter
# followed by a backslash (C:\) does not match because "\" is not a word character.
Process.CommandLine = \w:\w
Tag = proc-start-lolbas-alternate-data-streams

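[ProcessTaggingRule]
RuleName = Detect AWL bypass (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^rundll32\.exe$
# Known "DLL,export" pairs that let rundll32 launch arbitrary content.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = dfshim.dll.*,.*ShOpenVerbApplication
Process.CommandLine = advpack.dll.*,.*LaunchINFSection
Process.CommandLine = ieadvpack.dll.*,.*LaunchINFSection
Process.CommandLine = setupapi.dll.*,.*InstallHinfSection
Process.CommandLine = syssetup.dll.*,.*SetupInfObjectInstallAction
Tag = proc-start-lolbas-awl-bypass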

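[ProcessTaggingRule]
RuleName = Detect encode and decode operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^certutil\.exe$
# certutil -encode / -decode is routinely used to base64-wrap payloads.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = [\/|-]encode
Process.CommandLine = [\/|-]decode
Tag = proc-start-lolbas-encode-decode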

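[ProcessTaggingRule]
RuleName = Detect esentutl.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^esentutl\.exe$
# Lookaheads require all three switches in any order: /y <src> /d <dst> with /o, or with /vss.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = (?=.*[\/|-]y)(?=.*[\/|-]d)(?=.*[\/|-]o)
Process.CommandLine = (?=.*[\/|-]y)(?=.*[\/|-]d)(?=.*[\/|-]vss)
Tag = proc-start-lolbas-copy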

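[ProcessTaggingRule]
RuleName = Detect expand.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^expand\.exe$
# Two whitespace-separated arguments, i.e. "expand <source> <destination>"; this matches
# nearly every invocation, so expect this tag on legitimate installer activity too.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = \S+\s+\S+
Tag = proc-start-lolbas-copy

[ProcessTaggingRule]
RuleName = Detect print.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^print\.exe$
# "print /D:<target> <file>" writes the file to an arbitrary destination
Process.CommandLine = [\/|-]D:\S+\s+\S+
Tag = proc-start-lolbas-copy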

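[ProcessTaggingRule]
RuleName = Detect replace.exe copy operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^replace\.exe$
# /A adds files to the destination instead of replacing existing ones.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = [\/|-]A
Tag = proc-start-lolbas-copy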

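[ProcessTaggingRule]
RuleName = Detect certutil.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^certutil\.exe$
# -urlcache -split -f <url> or -verifyctl -split -f <url>; order-independent via lookaheads.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = (?=.*[\/|-]urlcache)(?=.*[\/|-]split)(?=.*[\/|-]f)
Process.CommandLine = (?=.*[\/|-]verifyctl)(?=.*[\/|-]split)(?=.*[\/|-]f)
Tag = proc-start-lolbas-download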

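[ProcessTaggingRule]
RuleName = Detect extrac32.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^extrac32\.exe$
# /Y /C together: copy mode, which also accepts a UNC/WebDAV source.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = (?=.*[\/|-]y)(?=.*[\/|-]c)
Tag = proc-start-lolbas-download

[ProcessTaggingRule]
RuleName = Detect findstr.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^findstr\.exe$
# /V /L with output redirection (">") copies a file's contents to a new file
Process.CommandLine = (?=.*[\/|-]v)(?=.*[\/|-]l)(?=.*>)
Tag = proc-start-lolbas-download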

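[ProcessTaggingRule]
RuleName = Detect makecab.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
Process.Name = ^makecab\.exe$
# Any two-argument invocation ("makecab <source> <cab>"); broad by design, tune if noisy.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = \S+\s+\S+
Tag = proc-start-lolbas-download

[ProcessTaggingRule]
RuleName = Detect squirrel.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# Squirrel/Electron updater fetching a package from a URL
Process.Name = ^squirrel\.exe$
Process.CommandLine = --download
Tag = proc-start-lolbas-download

[ProcessTaggingRule]
RuleName = Detect update.exe download operations (LOLBAS)
# Source: https://lolbas-project.github.io/
EventType = Process.Start
# update.exe is the per-app Squirrel stub; same switch as above
Process.Name = ^update\.exe$
Process.CommandLine = --download
Tag = proc-start-lolbas-download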

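[ProcessTaggingRule]
RuleName = Detect Microsoft Office download operations (LOLBAS)
EventType = Process.Start
@ConfigBlockInsert ParentIsMsOffice
# Any child of an Office application whose command line carries a URL scheme.
# Property spelled Process.CommandLine as in the other rules of this file (was "Process.Commandline").
Process.CommandLine = (http|https)
Tag = proc-start-lolbas-download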

############################################
#
# Image.Load rules
#
############################################

# Messaging API DLLs: the classic MAPI stubs and the Outlook interop assembly
# (the last pattern is unanchored at the start to allow versioned/prefixed file names)
[ConfigBlockDefine name=DLLIsMAPI]
Image.Name = ^mapi32\.dll$
Image.Name = ^msmapi32\.dll$
Image.Name = Microsoft\.Office\.Interop\.Outlook\S*\.dll$

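[ProcessTaggingRule]
RuleName = Detect Microsoft Office applications executing macros that access WMI to create child processes
EventType = Image.Load
@ConfigBlockInsert ProcessIsMsOffice
# The WMI client helper DLL is named wmiutils.dll (as used in the other Image.Load rules below);
# the earlier pattern "^wmiutil\.dll$" lacked the trailing "s" and never matched.
Image.Name = ^wmiutils\.dll$
Tag = image-load-msoffice-wmi-child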

[ProcessTaggingRule]
RuleName = Detect loading of MAPI DLLs from processes other than Outlook
EventType = Image.Load
@ConfigBlockInsert DLLIsMAPI
# Any non-Outlook process touching MAPI may be harvesting or sending mail
Process.Name != ^outlook\.exe$
Tag = image-load-MAPI

[ProcessTaggingRule]
RuleName = Detect loading of MAPI DLLs from scripts via Outlook
EventType = Image.Load
@ConfigBlockInsert DLLIsMAPI
# Outlook started with "-Embedding" is an out-of-process COM server, i.e. it was
# instantiated by another program (script, Office macro) rather than by the user
Process.Name = ^outlook\.exe$
Process.CommandLine = -Embedding
Tag = image-load-MAPI-scripts

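[ProcessTaggingRule]
RuleName = Suspicious DLL load paths by Office
#Source: https://github.com/Neo23x0/sigma
EventType = Image.Load
@ConfigBlockInsert ProcessIsMsOffice
# .NET GAC locations; Office loading assemblies from there is unusual (Sigma: Office .NET/GAC DLL load).
# Backslashes are escaped as in every other path pattern in this file. The earlier lines
# ("\\assembly%" with a stray trailing "%", and "\assembly\GAC_MSIL" with single
# backslashes, where "\a" is a control-character escape in many regex engines) did not
# match the intended paths.
Image.Path = ^%SystemRoot%\\assembly\\
Image.Path = ^%SystemRoot%\\Microsoft\.NET\\assembly\\GAC_MSIL
# No Tag: this rule only contributes a risk score
RiskScore = 75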

[ProcessTaggingRule]
RuleName = Suspicious DLL loads by Office
#Source: https://github.com/Neo23x0/sigma
EventType = Image.Load
@ConfigBlockInsert ProcessIsMsOffice
# .NET runtime
Image.Name = ^clr\.dll$
# Directory-service parsing and Kerberos client DLLs: unusual for Office
Image.Name = ^dsparse\.dll$
Image.Name = ^kerberos\.dll$
# VBA runtime — loads whenever a macro-enabled document runs VBA, so this
# score will also apply to legitimate macro use; tune for your environment
Image.Name = ^VBE7\.dll$
Image.Name = ^VBEUI\.dll$
Image.Name = ^VBE7INTL\.dll$
# WMI client DLLs (same set as the WMI module rules below)
Image.Name = ^wmiutils\.dll$
Image.Name = ^wbemcomn\.dll$
Image.Name = ^wbemprox\.dll$
Image.Name = ^wbemdisp\.dll$
Image.Name = ^wbemsvc\.dll$
# No Tag: this rule only contributes a risk score
RiskScore = 75

[ProcessTaggingRule]
RuleName = Detect loading of Powershell modules from processes other than PowerShell
EventType = Image.Load
# The PowerShell engine assembly (and its native-image variant); loading it from any
# host other than powershell.exe/pwsh.exe indicates an unmanaged or custom PowerShell host
Image.Name = ^system\.management\.automation\.dll$
Image.Name = ^system\.management\.automation\.ni\.dll$
@ConfigBlockInsert ProcessIsNotPowerShell
Tag = image-load-PowerShell

[ProcessTaggingRule]
RuleName = Svchost DLL search order hijack
#Source: https://github.com/Neo23x0/sigma
EventType = Image.Load
Process.Name = ^svchost\.exe$
# DLLs that services look up by name; the legitimate copies live under WinSxS,
# so a load from anywhere else means a planted DLL won the search order
Image.Name = ^tsmsisrv\.dll$
Image.Name = ^tsvipsrv\.dll$
Image.Name = ^wlbsctrl\.dll$
Image.Path != ^%SystemRoot%\\WinSxS
Tag = image-load-svchost-dll-search-order-hijack
RiskScore = 75

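[ProcessTaggingRule]
RuleName = WMI modules load from processes other than WMI
#Source: https://github.com/Neo23x0/sigma
EventType = Image.Load
# Exclusions for the legitimate WMI hosts, as in the Sigma rule (selection AND NOT filter).
# The earlier "=" comparisons selected exactly these processes and therefore matched the
# opposite of what the rule name states; "!=" makes all three exclusions apply.
Process.Name != ^WmiPrvSe\.exe$
Process.Name != ^WmiAPsrv\.exe$
Process.Name != ^svchost\.exe$
# WMI client/provider DLLs
Image.Name = ^wmiclnt\.dll$
Image.Name = ^WmiApRpl\.dll$
Image.Name = ^wmiprov\.dll$
Image.Name = ^wmiutils\.dll$
Image.Name = ^wbemcomn\.dll$
Image.Name = ^wbemprox\.dll$
Image.Name = ^WMINet_Utils\.dll$
Image.Name = ^wbemsvc\.dll$
Image.Name = ^fastprox\.dll$
Tag = image-load-wmi-modules
RiskScore = 75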

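[ProcessTaggingRule]
RuleName = WMI persistence - command line event consumer
#Source: https://github.com/Neo23x0/sigma
EventType = Image.Load
# wbemcons.dll implements the standard WMI event consumers (incl. CommandLineEventConsumer);
# the provider host loading it means an event subscription is firing a consumer
Process.Path = ^%SystemRoot%\\System32\\wbem\\WmiPrvSE\.exe$
Image.Name = ^wbemcons\.dll$
# Tag name chosen here (the earlier line repeated the svchost DLL-hijack tag, which made the
# two findings indistinguishable downstream); rename to fit your tag scheme if needed
Tag = image-load-wmi-persistence-event-consumer
RiskScore = 75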

############################################
#
# Net.Send, Net.Receive, Net.Connect, Net.Reconnect, Net.Retransmit rules
#
############################################

# Excludes RFC 1918 ranges (10/8, 172.16/12 written out per /16, 192.168/16) and loopback.
# Link-local (169.254/16) and any public ranges you own are not excluded — add them below.
[ConfigBlockDefine name=TargetIsNotPrivateNetworkIP]
# Add your own company networks
Net.Target.Ip != ^10\.
Net.Target.Ip != ^192\.168\.
Net.Target.Ip != ^172\.16\.
Net.Target.Ip != ^172\.17\.
Net.Target.Ip != ^172\.18\.
Net.Target.Ip != ^172\.19\.
Net.Target.Ip != ^172\.20\.
Net.Target.Ip != ^172\.21\.
Net.Target.Ip != ^172\.22\.
Net.Target.Ip != ^172\.23\.
Net.Target.Ip != ^172\.24\.
Net.Target.Ip != ^172\.25\.
Net.Target.Ip != ^172\.26\.
Net.Target.Ip != ^172\.27\.
Net.Target.Ip != ^172\.28\.
Net.Target.Ip != ^172\.29\.
Net.Target.Ip != ^172\.30\.
Net.Target.Ip != ^172\.31\.
Net.Target.Ip != ^127\.

# Known RDP clients, connection managers and scanners that legitimately talk to port 3389
# (taken from the Sigma lateral-movement rule referenced by the RDP rule below)
[ConfigBlockDefine name=ProcessIsNotKnownRDPSoftware]
# Add your own RDP applications
Process.Name != ^mstsc\.exe$
Process.Name != ^RTSApp\.exe$
Process.Name != ^RTSApp2\.exe$
Process.Name != ^RDCMan\.exe$
Process.Name != ^ws_tunnelservice\.exe$
Process.Name != ^RSSensor\.exe$
Process.Name != ^RemoteDesktopManagerFree\.exe$
Process.Name != ^RemoteDesktopManager\.exe$
Process.Name != ^RemoteDesktopManager64\.exe$
Process.Name != ^mRemoteNG\.exe$
Process.Name != ^mRemote\.exe$
Process.Name != ^Terminals\.exe$
Process.Name != ^spiceworks-finder\.exe$
Process.Name != ^FSDiscovery\.exe$
Process.Name != ^FSAssessment\.exe$
Process.Name != ^MobaRTE\.exe$
# chrome.exe presumably covers browser-based RDP clients — verify this exclusion is wanted
Process.Name != ^chrome\.exe$
Process.Name != ^thor\.exe$
Process.Name != ^thor64\.exe$
Process.Name != ^RoyalTS\.exe$

[ProcessTaggingRule]
RuleName = Suspicious target names
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
# Only processes running from the Windows directory; developer tools elsewhere
# routinely reach GitHub, so this keeps the rule focused on system binaries
Process.Path = ^%SystemRoot%
# Common payload/staging hosts (unanchored: subdomains match too)
Net.Target.Name = dl\.dropboxusercontent\.com
Net.Target.Name = \.pastebin\.com
Net.Target.Name = \.githubusercontent\.com
Net.Target.Name = \.github\.com
Tag = net-connect-suspicious-target-names
RiskScore = 75

[ProcessTaggingRule]
RuleName = PowerShell outbound network connections
EventType = Net.Connect
@ConfigBlockInsert ProcessIsPowerShell
# SYSTEM-level PowerShell (management agents, scheduled tasks) is excluded;
# only interactive/user-context PowerShell reaching non-private IPs is tagged
Process.User != ^NT AUTHORITY\\SYSTEM$
@ConfigBlockInsert TargetIsNotPrivateNetworkIP
Tag = net-connect-outbound-powershell-network

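[ProcessTaggingRule]
RuleName = Suspicious outbound Kerberos connections
# Source: https://github.com/Neo23x0/sigma
EventType = Net.Connect
@ConfigBlockInsert ProcessIsNotBrowser
# lsass.exe is the only process expected to speak Kerberos on a client
Process.Name != ^lsass\.exe$
@ConfigBlockInsert TargetIsNotPrivateNetworkIP
# Kerberos (TCP/UDP 88). Property spelled Net.Target.Port as in the other Net.Connect rules of
# this file (was "Net.Port"); NOTE(review): confirm "Net.Port" is not a separately documented property.
Net.Target.Port = 88
Tag = net-connect-outbound-kerberos
RiskScore = 75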

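[ProcessTaggingRule]
RuleName = PowerShell remoting
EventType = Net.Connect
@ConfigBlockInsert ProcessIsPowerShell
# WinRM HTTP (5985) and HTTPS (5986). Property spelled Net.Target.Port as in the other
# Net.Connect rules of this file (was "Net.Port"); NOTE(review): confirm "Net.Port" is not a separately documented property.
Net.Target.Port = 5985
Net.Target.Port = 5986
# Remoting from the NETWORK SERVICE account (e.g. WinRM's own service traffic) is excluded
Process.User != ^NT AUTHORITY\\NETWORK SERVICE$
# Tag name chosen here: the rule previously had neither a Tag nor a RiskScore, so a match
# produced no visible result. Rename to fit your tag scheme if needed.
Tag = net-connect-powershell-remoting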

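[ProcessTaggingRule]
RuleName = Detect network connects from suspicious sources
EventType = Net.Connect
# Writable or rarely-used locations from which signed system software does not normally run
Process.Path = ^C:\\Users
Process.Path = ^%ALLUSERSPROFILE%
Process.Path = ^%ProgramData%
Process.Path = ^%SystemRoot%\\Temp
# Recycle Bin folder: "$" and "." escaped — the earlier "$Recycle.bin$" began with an
# end-of-string anchor and could never match
Process.Path = \$Recycle\.bin
# %SystemDrive% already expands to "C:", so no extra ":" after it (the earlier
# "%Systemdrive%:\\Perflogs" would have required "C::\Perflogs"); assumes uberAgent
# expands the variable the same way it does %SystemRoot% in the patterns above — confirm
Process.Path = ^%SystemDrive%\\Perflogs
# Service profile directory (unanchored, appears inside the full path)
Process.Path = config\\systemprofile
Process.Path = ^%SystemRoot%\\Fonts
Process.Path = ^%SystemRoot%\\IME
Process.Path = ^%SystemRoot%\\addins
Tag = net-connect-suspicious-sources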

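[ProcessTaggingRule]
RuleName = Detect network connects from Windows processes
EventType = Net.Connect
# Built-in tools that rarely need the network in normal use; any outbound
# connection from them is tagged (no target filter, so tune per environment)
Process.Name = ^at\.exe$
Process.Name = ^certutil\.exe$
Process.Name = ^cmd\.exe$
Process.Name = ^cmstp\.exe$
Process.Name = ^cscript\.exe$
Process.Name = ^driverquery\.exe$
Process.Name = ^dsquery\.exe$
Process.Name = ^hh\.exe$
Process.Name = ^infDefaultInstall\.exe$
Process.Name = ^mmc\.exe$
Process.Name = ^msbuild\.exe$
Process.Name = ^mshta\.exe$
Process.Name = ^msiexec\.exe$
Process.Name = ^nbtstat\.exe$
Process.Name = ^net\.exe$
Process.Name = ^net1\.exe$
Process.Name = ^notepad\.exe$
Process.Name = ^nslookup\.exe$
Process.Name = ^qprocess\.exe$
# (duplicate qwinsta entry removed)
Process.Name = ^qwinsta\.exe$
Process.Name = ^reg\.exe$
Process.Name = ^regsvcs\.exe$
Process.Name = ^regsvr32\.exe$
Process.Name = ^rundll32\.exe$
Process.Name = ^rwinsta\.exe$
Process.Name = ^sc\.exe$
Process.Name = ^schtasks\.exe$
Process.Name = ^taskkill\.exe$
Process.Name = ^tasklist\.exe$
Process.Name = ^wmic\.exe$
Process.Name = ^wscript\.exe$
@ConfigBlockInsert ProcessIsPowerShell
Tag = net-connect-Windows-processes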

[ProcessTaggingRule]
RuleName = Detect network connects from third-party tools
EventType = Net.Connect
# Java runtimes (common droppers/loaders), netcat variants, remote-execution and
# remote-control tools, Tor and network scanners
Process.Name = ^java\.exe$
Process.Name = ^javaw\.exe$
Process.Name = ^javaws\.exe$
Process.Name = ^nc\.exe$
Process.Name = ^ncat\.exe$
Process.Name = ^psexec\.exe$
Process.Name = ^psexesvc\.exe$
Process.Name = ^tor\.exe$
Process.Name = ^vnc\.exe$
Process.Name = ^vncservice\.exe$
Process.Name = ^vncviewer\.exe$
Process.Name = ^winexesvc\.exe$
Process.Name = ^nmap\.exe$
Process.Name = ^psinfo\.exe$
Tag = net-connect-third-party-processes

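[ProcessTaggingRule]
RuleName = RDP connects from non-RDP software indicating lateral movement
# Source: https://github.com/Neo23x0/sigma
# EventType was missing; every other network rule in this file declares Net.Connect
EventType = Net.Connect
@ConfigBlockInsert ProcessIsNotKnownRDPSoftware
# RDP
Net.Target.Port = 3389
Tag = net-connect-suspicious-RDP-connects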

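[ProcessTaggingRule]
RuleName = Detect network connects to suspicious ports
EventType = Net.Connect
# Ports for remote-access, mail, proxy, VPN and Tor services. Port comments were
# corrected: IMAP is 143 (was listed as 142), and 1723/4500 are VPN ports, not Tor.
# SSH
Net.Target.Port = 22
# Telnet
Net.Target.Port = 23
# SMTP
Net.Target.Port = 25
# IMAP
Net.Target.Port = 143
# VNC (HTTP console 5800, RFB 5900)
Net.Target.Port = 5800
Net.Target.Port = 5900
# Proxies: SOCKS (1080), common HTTP proxy ports (3128, 8080)
Net.Target.Port = 1080
Net.Target.Port = 3128
Net.Target.Port = 8080
# VPN: PPTP (1723), IPsec NAT-T (4500)
Net.Target.Port = 1723
Net.Target.Port = 4500
# Tor: default OR port (9001) and directory port (9030)
Net.Target.Port = 9001
Net.Target.Port = 9030
Tag = net-connect-suspicious-ports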

[ProcessTaggingRule]
RuleName = Detect network connects to 80 and 443 from non-browser applications
EventType = Net.Connect
@ConfigBlockInsert ProcessIsNotBrowser
# uberAgent's own telemetry upload is excluded
Process.Name != ^uberAgent\.exe$
# HTTP / HTTPS
Net.Target.Port = 80
Net.Target.Port = 443
# Low score on purpose: many legitimate non-browser applications use HTTP(S)
Tag = net-connect-80-443-non-browser
RiskScore = 25
